mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Task ID 33452921 - edited some appendix items
Also increased column spacing for the tables.
@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|
|||||||
## Microsoft Windows CodeIntegrity Operational log event IDs
|
## Microsoft Windows CodeIntegrity Operational log event IDs
|
||||||
|
|
||||||
| Event ID | Explanation |
|
| Event ID | Explanation |
|
||||||
|---|----------|
|
| -------- | ----------- |
|
||||||
| 3076 | Audit executable/dll file |
|
| 3076 | Audit executable/dll file |
|
||||||
| 3077 | Block executable/dll file |
|
| 3077 | Block executable/dll file |
|
||||||
| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
|
| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
|
||||||
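Review bot: the only change in this hunk is the separator row (`|---|----------|` to `| -------- | ----------- |`), which is cosmetic for the rendered table, since Markdown ignores dash count and cell padding, so the "increased column spacing" from the commit message only affects the source. While touching this table, the 3089 row could name the field explicitly ("the TotalSignatureCount field is 0") so readers know it is an event data field rather than prose.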
@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|
|||||||
## Microsoft Windows Applocker MSI and Script log event IDs
|
## Microsoft Windows Applocker MSI and Script log event IDs
|
||||||
|
|
||||||
| Event ID | Explanation |
|
| Event ID | Explanation |
|
||||||
|---|----------|
|
| -------- | ----------- |
|
||||||
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. |
|
||||||
| 8029 | Block script/MSI file |
|
| 8029 | Block script/MSI file |
|
||||||
| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
|
| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
|
||||||
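Review bot: the 8038 row ends with a stray empty cell (`| |`) on both sides of the hunk, which renders as an extra column; trim it to a single trailing `|`. Also "either a 8028 or 8029 event" should read "either an 8028 or 8029 event", and the heading's "Applocker" should match the product name "AppLocker".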
@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|
|||||||
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
|
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.
|
||||||
|
|
||||||
| Event ID | Explanation |
|
| Event ID | Explanation |
|
||||||
|---|----------|
|
| -------- | ----------- |
|
||||||
| 3090 | Allow executable/dll file |
|
| 3090 | Allow executable/dll file |
|
||||||
| 3091 | Audit executable/dll file |
|
| 3091 | Audit executable/dll file |
|
||||||
| 3092 | Block executable/dll file |
|
| 3092 | Block executable/dll file |
|
||||||
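Review bot: the explanations for 3091 ("Audit executable/dll file") and 3092 ("Block executable/dll file") are word-for-word identical to 3076 and 3077 in the first table, so the table alone does not tell a reader which event to expect; since the sentence above says these are optional diagnostic events when ISG or MI is enabled, the rows should say so, e.g. "Audit executable/dll file (ISG/MI diagnostic event)". The abbreviations ISG and MI are also not expanded anywhere in the visible context.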
@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t
|
|||||||
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
|
Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.
|
||||||
|
|
||||||
| Name | Explanation |
|
| Name | Explanation |
|
||||||
|---|----------|
|
| -------- | ----------- |
|
||||||
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
|
||||||
| ManagedInstallerEnabled | Policy trusts a MI |
|
| ManagedInstallerEnabled | Policy trusts a MI |
|
||||||
| PassesManagedInstaller | File originated from a trusted MI |
|
| PassesManagedInstaller | File originated from a trusted MI |
|
||||||
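Review bot: "Policy trusts a MI" and "File originated from a trusted MI" should expand the abbreviation on first use ("a managed installer (MI)"), and "a MI" should be "an MI" if the short form is kept. The StatusCode row is the only place that explains how 3090, 3091 and 3092 differ (pass, audit-mode fail, enforce-mode fail), so the table above would benefit from a pointer to it.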
@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
|
|||||||
## Appendix
|
## Appendix
|
||||||
A list of other relevant event IDs and their corresponding description.
|
A list of other relevant event IDs and their corresponding description.
|
||||||
| Event ID | Description |
|
| Event ID | Description |
|
||||||
|---|----------|
|
| -------- | ----------- |
|
||||||
| 3001 | An unsigned driver was attempted to load on the system. |
|
| 3001 | An unsigned driver was attempted to load on the system. |
|
||||||
| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
|
| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
|
||||||
| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
|
| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
|
||||||
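Review bot: the intro sentence "A list of other relevant event IDs and their corresponding description." is a fragment; suggest "The following table lists other relevant event IDs and their descriptions." The 3001 row "An unsigned driver was attempted to load on the system." would read better as "An attempt was made to load an unsigned driver." Neither is touched by this hunk even though the commit message says appendix items were edited.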
@ -98,16 +98,16 @@ A list of other relevant event IDs and their corresponding description.
|
|||||||
| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
|
| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
|
||||||
| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |
|
| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |
|
||||||
| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
|
| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
|
||||||
| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |
|
| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |
|
||||||
| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. |
|
| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. |
|
||||||
| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
|
| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
|
||||||
| 3075 | This event monitors the performance of the Code Integrity policy check a file. |
|
| 3075 | This event monitors the performance of the Code Integrity policy check a file. |
|
||||||
| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
|
| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
|
||||||
| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. |
|
| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. |
|
||||||
| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
|
| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
|
||||||
| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. |
|
| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
|
||||||
| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. |
|
| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
|
||||||
| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. |
|
| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
|
||||||
| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. |
|
| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. |
|
||||||
| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. |
|
| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. |
|
||||||
| 3097 | The Code Integrity policy cannot be refreshed. |
|
| 3097 | The Code Integrity policy cannot be refreshed. |
|
||||||
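Review bot: the rewritten 3080 row still has a grammar error: "would not have meet the requirements" should be "would not have met the requirements" (the original "me" looks like a typo for "met", not "meet"). While in this table, the 3075 row ("monitors the performance of the Code Integrity policy check a file") is missing a word on both sides, presumably "policy check of a file", and 3095 says the policy "must be rebooted" where it is the system that must be rebooted for the policy to take effect.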